Prior to the recent headline-grabbing TalkTalk cyber security breach, businesses may have thought such incidents only affected big American companies, such as the likes of Sony and Ashley Madison. The TalkTalk story brings home that cybercrime is a global issue which is set to affect UK businesses more and more in future and to which small and medium-sized enterprises (SMEs) are not immune.
A government report from earlier this year indicated that 81% of large businesses and 60% of small businesses had suffered a cyber security breach in the past year, and the average cost of breaches to business had nearly doubled since 2013. You can no longer assume that because your business isn’t national, high profile, or based around online sales you’ll be safe. Cyber criminals, as with any other kind, will target anyone and may see smaller businesses as more vulnerable.
Cyber security breaches carry a number of adverse potential consequences. Aside from the business interruption of evaluating and repairing any damage caused, through implementing emergency measures and potentially notifying your customers, breaches of cyber security are bad publicity and erode the trust and confidence you spend so long building with your customers. Where a breach results in your customers suffering a loss, you may find they turn to you for compensation. Defending legal claims, and dealing with more informal ones, can be expensive and risks further damage to your reputation.
So, what can you do about cyber risk? Well, as with every other risk, take steps to mitigate it, and insure against it. Many insurance companies offer a policy covering cyber-attacks, together with practical advice on risk management and loss prevention. Mitigating and minimising your risk requires more than just effective firewalls and antivirus software. Implementing segregated networks and least-privilege models ensures that the effect of any breach (whether external or by an employee) is minimised. Network segregation creates sub-partitions that allow you to limit access to sensitive information, and a least-privilege model gives users only the permissions necessary for them to carry out their role. However, to remain effective these controls need regular checking and updating. Whilst effective monitoring, alerting and filtering software will help anticipate and prevent attacks, training for users on how to identify and avoid suspicious emails and websites is also needed, as things like phishing emails become increasingly sophisticated.
Cyber security isn’t just a practical requirement, it’s a legal one. Almost every business will hold personal data, and data protection legislation requires them to have adequate security measures in place to protect that data. Businesses that suffer a breach may be subject to fines or sanctions from their professional bodies or the Information Commissioner’s Office (ICO). Holiday insurance company Staysure was fined £175,000 by the ICO after its cyber security failings allowed hackers access to customer credit card and medical details. SMEs can no longer afford to ignore the risks.
By Elliot Fry of top 100 law firm Cripps